Monday, March 2, 2009

Security is a never-ending journey

I'm at the 2009 Microsoft MVP Summit. Around 2000 MVPs descend on Microsoft's Redmond Campus for four days of sessions with various product teams. The sessions include a lot of two-way feedback, which can be brutal from both sides. It's a lot of fun.

Today I went to several security sessions. I got to hear Steve Riley talk and then answer questions from an audience that included Jesper Johansson. It was amazing. At one session Ziv Mador and Steve Adegbite were talking about the Conficker worm and Microsoft's response to the vulnerability the worm initially used to spread itself. It was fascinating to hear the process they went through to identify the vulnerability and patch it, then have to wait and see the exploits developed when the bad guys reverse-engineer the patch.

During the session Steve Adegbite said something that really resonated with me. He said "Security is like a never ending marathon." I think that is one of the best statements I've heard regarding security. Security is hard work. You have to give it 100% all the time. There are no shortcuts. You will never be finished. To some that sounds depressing. Steve Adegbite said it was a challenge he and his team relished. I got the sense that almost everyone in the room agreed.

I realised I was sitting in a room full of the cream of the crop in the Windows security world. It was fun hobnobbing with the cream of the crop. Thank you Microsoft.